
WHAT IS CLAIMED IS: 

1. A system for controlling Internet access on a network, said system comprising:

at least one access device for connecting to said network and for originating out-going data packets, each of said at least one access device being characterized by a unique hardware address;

a redirection server accessible via the Internet;

a network monitoring device for monitoring out-going data packets sent from said network to the Internet and for verifying if an originator access device of an out-going data packet is authorized for Internet access, all out-going packets originated from authorized access devices being forwarded unimpeded to the Internet and all out-going data packets originated from unauthorized access devices being inspected for determination of their target destination Internet websites, and for checking if a determined target destination Internet website matches a predetermined authentication server website and forwarding a corresponding out-going data packet to said predetermined authentication server if a match is found, said network monitoring device responding to a match not being found by disregarding the determined destination Internet website and forwarding the out-going data packet to said redirection server;

whereby all out-going data packets to the Internet gain access to the Internet irrespective of whether their respective originator access devices are authorized for Internet access.

2. The system of claim 1 wherein said redirection server responds to a received data packet from an unauthorized originator access device by sending said originator access device a message instructing it to connect to said predetermined authentication server.



3. The system of claim 1 wherein said authentication server responds to an unsolicited received data packet by sending an originator access device of said data packet a questionnaire form soliciting authentication information, said questionnaire form including a hidden reserved field and a first identification keyword.

4. The system of claim [ ] wherein said hidden reserved field is not accessible by said originator access device which receives said questionnaire form.

5. The system of claim 3 wherein said first identification keyword is based on address information from said network monitoring device.



6. The system of claim 3 wherein said network monitoring device, after verifying that said determined target destination Internet website matches said predetermined authentication server and before forwarding the out-going data to said predetermined authentication server, further scans contents of said out-going data packet in search of said first identification keyword and upon locating said first identification keyword, generates a second identification keyword based on the unique hardware address of the originator access device, said second identification keyword being inserted in said hidden reserved field.



7. The system of claim 6 wherein said second identification keyword is additionally based on current communication session information.



8. The system of claim 6 wherein said second identification keyword is 
additionally based on location information of said network monitoring device. 



9. The system of claim 6 wherein said hidden reserved field is located within said out-going data packet a predetermined number of bytes away from said first identification keyword.

10. The system of claim 6 wherein said hidden reserved field is immediately preceded by said first identification keyword within said out-going data packet.



11. The system of claim 3 wherein said originator access device receiving said questionnaire form uses web browsing software to supply said solicited authentication information into said questionnaire form before transmitting the questionnaire form back to said authentication server via the Internet.

12. The system of claim 1 wherein said authentication server responds to a solicited data packet having a hidden reserved field by extracting the contents of said hidden reserved field and authentication information from said solicited data packet, the extracted information being sent to a gate keeper server.



13. The system of claim 12 wherein said gate keeper server is accessible via the Internet.



14. The system of claim 12 wherein said authentication server uses a CGI script to parse said extracted information from said solicited data packet.



15. The system of claim 12 wherein said gate keeper server compares said authentication information with a predefined database to determine if said originator access device is registered, and responds to the verification of the originator access device being registered by sending an unblock message to said network monitoring device.



16. The system of claim 15 wherein said unblock message is encrypted with said second identification keyword.



17. The system of claim 15 wherein upon verification of the originator access device being registered, said gate keeper server decodes contents of said hidden reserved field to determine the unique hardware address of said originator access device and labeling said unblock message with said hardware address.



18. The system of claim 15 wherein said network monitoring device responds to receipt of said unblock message by updating a network access list to authorize said originator access device for Internet access.



19. A system for remotely authenticating a user on a private network via the Internet, the system comprising:

a network access device for permitting said user access to said private network, said access device being characterized by a unique hardware address;

an authentication server accessible via the Internet;

a network monitoring device for monitoring the destination address of all out-going messages from said private network to the Internet and for scanning the content of any message whose destination is said authentication server to search for a first predetermined identification code in said message, said network monitoring device responding to the detection of said first predetermined identification code by determining the hardware address of the access device that originated the message and generating a second identification code based on said hardware address, said network monitoring device further inserting said second identification code in said message before forwarding said message to said authentication server;

said authentication server responding to receipt of said forwarded message from said network monitoring device by decoding said hardware address from said second identification code; a third identification code based on said hardware address being generated and transmitted along with an unblock message to said network monitoring device.



20. The system of claim 15 wherein said network monitoring device responds to said unblock message by updating a network access list to authorize for Internet access the user whose network access device has the same hardware address as is embedded in said third identification code.



21. The system of claim 19 wherein said second identification code is 
further based on the Internet protocol address of said network monitoring device. 



22. The system of claim 15 wherein said third identification code is further based on the Internet protocol address of said network monitoring device.

23. The system of claim 19 wherein said network monitoring device 
responds to the absence of said first predetermined identification code in a message 
whose destination is said authentication server by forwarding said message to said 
authentication server with no modification to said message. 



24. The system of claim 19 wherein said network monitoring device is further effective for verifying if an out-going message is originated by an authorized user and permitting all out-going messages from authorized users unimpeded access to the Internet, all messages from unauthorized users having their destination addresses inspected to determine if their destination is said authentication server, and responding to a destination address other than said authentication server by ignoring the destination address and forwarding the message to a predetermined redirection server via the Internet;

whereby all out-going messages to the Internet are granted access to the Internet irrespective of whether the message is originated by an unauthorized user.

25. The system of claim 24 wherein said redirection server responds to a received message from an unauthorized user by sending the user's network access device a message instructing it to connect to said authentication server.

26. The system of claim 19 wherein said authentication server responds to a received message lacking said second identification code by generating said first predetermined identification code based on location information of said private network, said authentication server further sending the network access device that originated the message a questionnaire form soliciting authentication information from its respective user, said questionnaire form including a hidden reserved field and said first predetermined identification code.

27. The system of claim 26 wherein said hidden reserved field is not accessible by the user that receives said questionnaire form.

28. The system of claim 26 wherein said hidden reserved field is preceded by said first predetermined identification code in said questionnaire form.

29. The system of claim 26 wherein said network monitoring device inserts said second identification code in said hidden reserved field of any messages sent by a user to said authorization server.

30. The system of claim 26 further having a gate keeper server, said authentication server further being able to identify filled questionnaire forms received from unauthorized users and being effective for parsing out the user's authentication information along with said hardware address from said second identification code;

said authentication information and hardware address being relayed to said 
gate keeper server for verification, said gate keeper server responding to the verification 
of an unauthorized user by generating said third identification code and transmitting said 
unblock message to said network monitoring device. 

31. The system of claim 30 wherein said gate keeper is accessed via a 
secure link from said authorization server. 



32. The system of claim 30 wherein said authorization server accesses said gate keeper server via the Internet.
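The forwarding policy of the network monitoring device (claims 1, 6, 10, 18-20 and 23) as an added illustration in Python; this is not the patent's own code. Host names, the keyword marker, the identification-code format (base64 body plus keyed tag) and the shared key are assumptions, and the gate keeper's third code is produced with the same encoder for the demo.

```python
# Added illustration of the monitoring-device policy; not the patent's own code.
# Host names, the keyword marker, the code format and the shared key are assumptions.
import base64, hmac, hashlib

AUTH_SERVER = "auth.example.test"         # constructed sample hosts
REDIRECT_SERVER = "redirect.example.test"
FIRST_KEYWORD = "ID1="                    # assumed first identification keyword placed in the form
MONITOR_ADDR = "198.51.100.7"             # monitor's own address, mixed in as in claim 21
KEY = b"demo-shared-secret"               # assumed key shared by monitor and gate keeper

def encode_id(hw_addr: str) -> str:
    """Identification code: reversible encoding of hw address + monitor address, with a keyed tag."""
    body = base64.urlsafe_b64encode(f"{hw_addr}|{MONITOR_ADDR}".encode()).decode()
    tag = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{body}.{tag}"

def decode_id(code: str):
    """Recover the hw address from a code, or None if the tag does not verify."""
    body, _, tag = code.partition(".")
    expected = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()[:16]
    if not hmac.compare_digest(expected, tag):
        return None
    return base64.urlsafe_b64decode(body).decode().split("|")[0]

class MonitoringDevice:
    def __init__(self, authorized):
        self.access_list = set(authorized)      # hardware addresses allowed out

    def handle(self, hw_addr, dst_host, payload):
        """Decide the next hop and (possibly modified) payload of one out-going packet."""
        if hw_addr in self.access_list:
            return dst_host, payload                    # authorized: forwarded unimpeded
        if dst_host != AUTH_SERVER:
            return REDIRECT_SERVER, payload             # unauthorized, other target: redirected
        if FIRST_KEYWORD not in payload:
            return AUTH_SERVER, payload                 # no keyword: forwarded unmodified (claim 23)
        # keyword found: fill the hidden reserved field that immediately follows it (claim 10)
        return AUTH_SERVER, payload.replace(FIRST_KEYWORD, FIRST_KEYWORD + encode_id(hw_addr), 1)

    def unblock(self, third_code):
        """Gate keeper's unblock message: authorize the hw address embedded in the third code."""
        hw_addr = decode_id(third_code)
        if hw_addr is None:
            return False                                # tampered or foreign code: ignored
        self.access_list.add(hw_addr)
        return True
```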